[Openid-specs-ab] Simplifying preferred_locales and max_age

Brian Campbell bcampbell at pingidentity.com
Mon Feb 4 20:22:24 UTC 2013


I'm pretty sure you don't need statistics to infer that I was surfing porn
and gambling sites. Just sayin' ;)

But I (reluctantly) see your point about max_age.

The spec could probably be clearer/stronger about the expected behavior
though. There's a little "must" about actively re-authenticating but
nothing saying that an error must be returned or anything. And it's all
nestled inside text about the request object which, I think anyway, is
pretty much telling the OP what to try and do but not to return an error,
if conditions can't be met.


On Mon, Feb 4, 2013 at 1:11 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:

> As long as the client has something to evaluate then not signing it is OK.
>
> The reason for not coupling them was privacy.  That way a privacy
> respecting IdP could honour the request but not disclose when the IdP
> session started.
>
> Suppose I send an authorization request with a max_auth_age of 2 weeks to
> the IdP perhaps reasonable, I think Yahoo's sessions are typically 4 weeks.
>
> I get back an auth_time of 2am last night.  I may now be able to infer that
> you were surfing porn or gambling sites statistically.
>
> It is a small info leak but one we were trying to avoid being criticized
> over.
>
> The value of auth_time is a timestamp and I hate messing with special
> values.
>
> Perhaps we need to return a "max_auth_age" : true claim if the claim
> request is met.
>
> In openID 2 the logic was ask for max_auth_age and get back auth_time.
> But as I say that was seen as bad for privacy.
>
> This would be much easier without privacy concerns,  just saying:)
>
> John B.
>
>
>
> On 2013-02-04, at 12:53 PM, Brian Campbell <bcampbell at pingidentity.com>
> wrote:
>
> I wasn't saying that there shouldn't be a way to ask for auth_time. But
> rather questioning the claim (pun intended) that signing the max_auth_age
> request was really that important or provided a great deal of value (as the
> client should validate what it gets back regardless of what it asked for).
>
>
> On Mon, Feb 4, 2013 at 12:12 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>
>> No but there are currently two separate requests, one for the
>> max_auth_age and the other requesting the auth_time claim.  The current
>> spec doesn't couple them.
>> Removing a way for the client to ask for auth_time in the response to
>> determine if max_auth_age was acted on is a problem.
>>
>> The solution may be simple by just saying that you need to return
>> auth_time if the authorization server honours the max_auth_age request.
>>
>>
>> On 2013-02-04, at 11:55 AM, Brian Campbell <bcampbell at pingidentity.com>
>> wrote:
>>
>> In general isn't it really incumbent upon the client/RP to validate
>> security sensitive things, like auth_time and acr, as needed in the
>> response?
>>
>> That's how I've read it anyway, that the client can make whatever request
>> it wants but that the OP isn't necessarily obligated (or capable) to live
>> up to what is requested. And the client needs to enforce things that are
>> important to it.
>>
>> Is my interpretation wrong on that?
>>
>> On Fri, Feb 1, 2013 at 5:09 PM, John Bradley <ve7jtb at ve7jtb.com> wrote:
>>
>>>
>>> For max_age you don't necessarily want the user to be able to modify
>>> that in the request, that might cause security issues if auth_time is not
>>> required in the response, the RP may be thinking it is getting a stronger
>>> authentication than it is in reality.
>>>
>>> I would prefer to leave max_age in the signed request and not confuse
>>> the lower security parameter based request with it.
>>>
>>>
>>
>
>
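The two positions in this thread (the OP should return auth_time whenever it honours a max_age request, and the RP must enforce what matters to it rather than trust that the OP complied) can be shown as a small pair of checks. The following is an added example, not code from this list thread or from any OpenID Connect implementation; the function names, the `skew` tolerance, the "omit auth_time unless max_age was requested" policy on the OP side, and the sample claim values are all assumptions made for illustration.

```python
"""Added example: OP-side decision and RP-side validation of auth_time against max_age.

Assumptions (not from the thread): ID Token claims arrive as a dict that has already
been signature-verified; times are integer Unix seconds; the OP policy modelled here
is the one the thread floats, i.e. include auth_time only when max_age was requested.
"""
import time


class AuthTimeError(Exception):
    """Raised when the RP cannot confirm the authentication freshness it asked for."""


def op_decide(session_auth_time, requested_max_age, now=None):
    """OP side: decide whether to re-authenticate or issue a token.

    Returns ("reauthenticate", None) when the session is older than the requested
    max_age, otherwise ("issue", extra_claims). auth_time is disclosed only when the
    RP asked for max_age, which is the privacy-preserving policy discussed above
    (an assumption of this example, not a statement of the spec).
    """
    if now is None:
        now = int(time.time())
    if requested_max_age is None:
        return ("issue", {})  # nothing requested: do not reveal when the session began
    if now - session_auth_time > requested_max_age:
        return ("reauthenticate", None)
    return ("issue", {"auth_time": session_auth_time})


def check_auth_time(claims, requested_max_age, now=None, skew=60):
    """RP side: enforce the max_age the RP itself requested.

    Returns the authentication age in seconds when the check passes, or None when
    no max_age was requested. If max_age was requested, a missing auth_time is a
    failure: an OP that silently ignored the request must not look like compliance.
    """
    if now is None:
        now = int(time.time())
    if requested_max_age is None:
        return None  # auth_time, if present, is informational only
    auth_time = claims.get("auth_time")
    if auth_time is None:
        raise AuthTimeError("max_age was requested but the ID Token carries no auth_time")
    if isinstance(auth_time, bool) or not isinstance(auth_time, int):
        raise AuthTimeError("auth_time must be an integer NumericDate")
    if auth_time > now + skew:
        raise AuthTimeError("auth_time lies in the future beyond the allowed clock skew")
    age = now - auth_time
    if age > requested_max_age + skew:
        raise AuthTimeError(f"authentication is {age}s old, max_age was {requested_max_age}s")
    return age


if __name__ == "__main__":
    # Constructed sample: session authenticated at t=1000, RP asks for max_age=300.
    decision, extra = op_decide(1000, 300, now=1200)
    print(decision, extra)                              # issue {'auth_time': 1000}
    print(check_auth_time({"sub": "alice", **extra}, 300, now=1200))  # 200
    try:
        check_auth_time({"sub": "alice"}, 300, now=1200)  # OP ignored max_age
    except AuthTimeError as e:
        print("rejected:", e)
```

The RP-side rule is the one Brian argues for above: the client enforces what it cares about, so an absent auth_time after a max_age request is treated as a failed check rather than a silently honoured one.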